b"                                                                                                    Report No. DoDIG-2012-114\n                                                                                                                  July 27, 2012\n\n\n\n\nDEPUTY INSPECTOR GENERAL FOR INTELLIGENCE\n    AND SPECIAL PROGRAM ASSESSMENTS\n\n\n\n\n  Assessment of Security Within the Department of\n             Defense - Security Policy\n\n\n\n\n    This document will not be released(in whole or in part) outside the Department of Defense without the prior\n                     written approval of the Inspector General of the Department of Defense\n\x0cAdditional Copies\nTo obtain additional copies of this report, visit the Web site of the Department of Defense\nInspector General at http://www.dodig.mil/Ir/reports.htm or contact the DoD Office of\nInspector General at (703) 882-4818 or (DSN) 381-4818.\n\nSuggestions for Audits and Evaluations\nTo suggest ideas for or to request future audits or evaluations, contact the Office of the\nDeputy Inspector General for Intelligence and Special Program Assessments at\n(703) 882-4860 (DSN 381-4860) or UNCLASSIFIED fax (571) 372-7451. Ideas and\nrequests can also be mailed to:\n\n                         ODIG-ISPA (ATTN: ISPA Suggestions)\n                         Department of Defense Inspector General\n                          4800 Mark Center Drive (Suite 10J25)\n                               Alexandria, VA 22350-1500\n\n\n\n\nAcronyms and Abbreviations\nDSE                            Defense Security Enterprise\nDSE ExCom                      Defense Security Enterprise Executive Committee\nDTM                            Directive-Type Memorandum\nOUSD(I)                        Office of the Under Secretary of Defense for Intelligence\nSP\xc4\x93D                           Security Professional Education and Development\nUSD(I)                         Under Secretary of Defense for Intelligence\n\x0c\x0cReport No. 
DoDIG-2012-114 (Project No. D2010-DINT01-0066.003)                               July 27, 2012\n\n\n                Results in Brief: Assessment of Security\n                Within the Department of Defense \xe2\x80\x93\n                Security Policy\n\nWhat We Did                                                The Under Secretary of Defense for Intelligence\n                                                           is in the process of promulgating an overarching\nThis is the third in a series of reports designed to       security policy, \xe2\x80\x9cManagement of the\nprovide an overall assessment of security                  Department of Defense Security Enterprise,\xe2\x80\x9d\npolicies and procedures within the Department.             that provides guidance for a comprehensive and\nIn this report, we assessed how effective                  integrated security framework. This action is\nsecurity policy is in addressing the security              scheduled to be completed in the fourth quarter\nneeds of the Department. We addressed                      of 2012. Also, the Under Secretary of Defense\nsecurity costs, and training, certification, and           for Intelligence has created the Defense Security\nprofessionalization in previous reports.                   Enterprise Executive Committee, a senior-level\nClassification and grading of security jobs will           governance body for the strategic administration\nbe the final report in this series.                        and policy coordination of the Defense Security\n                                                           Enterprise.\nWhat We Found\nWe found that security policies often overlap,             However, until the overarching security policy\nare fragmentary, or inconsistent. 
In addition,             is promulgated and the Defense Security\nthe sheer volume of security policies that are not         Enterprise Executive Committee becomes an\ncoordinated or integrated makes it difficult for           inculcated and inclusive governing process,\nthose at the field level to ensure consistent and          interoperability issues, redundancies, and other\ncomprehensive policy implementation. While                 inefficiencies will persist.\ncompliance with existing security policies\nremains a central issue, consumers at the field            What We Recommend\nlevel are often required to interpret outdated             We are not making any recommendations in this\nsecurity policy guidance to make it relevant to            report because the overarching security policy\nexisting organizational requirements.                      and the Defense Security Enterprise Executive\n                                                           Committee will ensure an enterprise approach to\nIn the first report in this series, Report No.             security policy across the Department. 
Further,\n10-INTEL-09, \xe2\x80\x9cAssessment of Security Within                our previous recommendation should ensure\nthe Department of Defense: Tracking and                    that the new Defense Security Enterprise\nMeasuring Security Costs,\xe2\x80\x9d August 6, 2010, we              Executive Committee will be an integral part of\nrecommended a comprehensive and integrated                 policy development and coordination with the\nsecurity framework to facilitate tracking                  requisite authorities to effect changes in security\nsecurity costs, more accurately programming                policy implementation and oversight.\nfuture years security budgets, and examine the\nreturn on investment for security expenditures.\nThe Deputy Under Secretary of Defense for                  Management Comments\nIntelligence and Security agreed, stating that an\noverarching security policy is the necessary first         Although not required, the Deputy Under\nstep to provide a platform for functional                  Secretary of Defense for Intelligence and\nintegration, governance, and strategic resource            Security provided comments in response to this\nmanagement.                                                report.\n\n\n\n\n                                                       i\n\x0cTable of Contents\n\nIntroduction                                                       1\n\nObjectives                                                         1\n\nScope and Methodology                                              1\n\nBackground                                                         2\n\nFinding. 
DoD Needs an Overarching Security Policy to Advance an    3\n         Integrated Enterprise Approach to Security\n\nAppendix: Prior Coverage                                          10\n\nManagement Comments                                               11\n\x0cIntroduction\nSecurity spans the entire Department and is necessary for the Department to protect its\nresources. Department of Defense security disciplines have as one fundamental purpose\nthe protection of DoD critical assets and must be applied in a fully balanced and\ncoordinated way. Actions taken in one area, for example, physical security, have a direct\nbearing upon actions taken in other areas such as information security. When security\npolicy functions are fragmented, the chances of inconsistent and ineffective protection\nlevels are increased. Employees in security positions, whether it is security\nadministrators, security chiefs, or security clerks, are critical to the national defense and\ndeserve security policy that is clear, concise, and consistently applied to all echelons of\nsecurity. In the absence of security policy that is streamlined, updated and harmonized,\norganizations will waste resources trying to comply with guidance that is potentially\nredundant, outdated and confusing.\n\nObjectives\nThis is the third in a series of reports on security within the Department of Defense and is\nresponsive to a request made by the Under Secretary of Defense for Intelligence (USD(I))\nfor the Office of Inspector General, Department of Defense, to assess the effectiveness of\nsecurity in the Department. 
Specifically, we are conducting assessments of the following\nissue areas:\n\n       \xe2\x80\xa2   how the Department programs and tracks its security costs and measures the\n           return on investment for security expenditures;\n       \xe2\x80\xa2   how security professionals are trained and certified/professionalized;\n       \xe2\x80\xa2   how effective security policy is in addressing the security needs of the\n           Department; and\n       \xe2\x80\xa2   how security professionals\xe2\x80\x99 jobs are classified and graded.\n\nThis report addresses the effectiveness of security policy in addressing the security needs\nof the Department.\n\nScope and Methodology\nThis assessment was conducted in accordance with Quality Standards for Inspections\nissued by the Council of the Inspectors General on Integrity and Efficiency. Those\nstandards require that we plan and perform the assessment to obtain sufficient appropriate\nevidence to provide a reasonable basis for our findings and conclusions based on our\nassessment objectives. We believe that the evidence obtained provides a reasonable basis\nfor our findings and conclusions based on our assessment objectives.\n\nBecause of the size and complexity of addressing security within the Department of\nDefense, we are performing this assessment in phases: phase one, Tracking and\nMeasuring Security Costs; phase two, Training, Certification, and Professionalization;\nphase three, Security Policy; and phase four, Classification and Grading. Subsequent\nreporting may also address security issues within a larger context as additional\ninformation is developed. To accomplish the objective, we reviewed relevant policies\nand guidance and interviewed officials responsible for security policy development and\nimplementation.\n\n\n\n\n                                              1\n\x0cBackground\nThere have been previous assessments of security policies within the DoD. 
In 1985,\n\xe2\x80\x9cKeeping the Nation\xe2\x80\x99s Secrets: A Report to the Secretary of Defense\xe2\x80\x9d was submitted to\nthe Secretary of Defense by The Commission to Review Department of Defense Security\nPolicy and Practices, headed by Richard G. Stilwell, General, USA (Retired). The report\nemphasized the need to respond to \xe2\x80\x9cthe threat posed by hostile intelligence services by\nestablishing a comprehensive set of policies and procedures designed to prevent\nunauthorized persons from gaining access to classified information.\xe2\x80\x9d The report also\nnoted, however, that while protecting classified information was \xe2\x80\x9cimperative in principle\xe2\x80\x9d\nsecurity policies were crafted in an environment of budgetary constraints and\n\xe2\x80\x9ctempered\xe2\x80\xa6 by operational necessities.\xe2\x80\x9d The report further noted that some policies\nremained in force despite their proven ineffectiveness and concluded that \xe2\x80\x9cin the final\nanalysis, safeguarding classified information comes down to proper supervision and the\nindividual's responsibility to apply the rules.\xe2\x80\x9d\n\nIn 1994, The Joint Security Commission report entitled \xe2\x80\x9cRedefining Security,\xe2\x80\x9d addressed\nsecurity policy and reported that security policy was fragmented. The report also\nidentified the ad hoc manner in which security policies and practices have evolved noting\nthat policy is enumerated in several documents prepared at different times, by different\npeople in response to differing requirements and events \xe2\x80\x93 not as part of a comprehensive\ncoordinated effort. The report further cited the disadvantages of developing policy\nthrough consensus noting that the approach is time consuming, ineffective, and results in\ninadequate policy that has been weakened in order to achieve consensus. 
According to\nthe report, improvements in security policy could not be achieved without a unifying\nstructure to provide leadership, focus, and direction.\n\nA majority of the issues identified in the above reports remain true today. To date, DoD\nas a whole still needs to address the identified problems with security policies, including\npolicy development and the approval process. In fact, these issues were also identified in\na 2011 Office of the Under Secretary of Defense for Intelligence requested Federated\nSecurity study that assessed the optimal organizational, management, and resourcing\nstructure to best accomplish the Department\xe2\x80\x99s security mission. The study noted that \xe2\x80\x9cthe\nexisting organizational structure of the DoD security enterprise is fragmented with\nfunctions scattered across a number of organizations within DoD components. This\nresults in a lack of central coordination and management of DoD security functions\nwhich include policy implementation and resourcing.\xe2\x80\x9d\n\n\n\n\n                                            2\n\x0cFinding: DoD Needs an Overarching Security Policy to\nAdvance an Integrated Enterprise Approach to Security\nWithin the DoD, security functions are disjointed. Moreover, in each security functional\narea, it is difficult - if not impossible - to manage security policy. While several security\nprograms do exist within components, coordination is inconsistent at the Office of the\nSecretary of Defense level. As a result, DoD security components establish their own\nstrategies, guidance, and reporting channels. This fragmented structure could result in\nineffective application of protection across the Services and commands. 
The Department\nhas taken steps to address the need for an integrated, coordinated, and comprehensive\nsecurity framework through such measures as the creation of the Defense Security\nEnterprise Executive Committee (DSE ExCom), the Security Professional Education and\nDevelopment (SP\xc4\x93D) program, and an overarching security policy that provides guidance\nfor a comprehensive and integrated security framework - \xe2\x80\x9cManagement of the\nDepartment of Defense Security Enterprise.\xe2\x80\x9d However, DoD needs to promulgate the\noverarching policy in order to solidify the DSE ExCom and to strengthening security\npolicy and enterprise management. This will significantly advance efforts to\ncomprehensively integrated security guidance and ensure conformance with the\ndeveloping enterprise paradigm within the Department.\n\nDoD Enterprise Approach\nAs we have consistently stated, security is a critical function that spans the entire\nDepartment; and, as such, functional integration, governance, and strategic resource\nmanagement can be better leveraged through an enterprise approach to security\nmanagement. In responding to the recommendation in the first report in this series, the\nDeputy Under Secretary of Defense for Intelligence and Security stated that \xe2\x80\x9cSecurity\npolicy administration within the Office of the Secretary of Defense is also fragmented.\nFor example, information systems security comprises a significant portion of the costs\nincurred, but policy administration and oversight of this critical function are external to\nthe Office of the Under Secretary of Defense for Intelligence. 
As a result, a process for\ndecision-making and governance would have to be established to achieve the\ncomprehensive security framework you recommend.\xe2\x80\x9d\nCurrent Enterprise efforts include DoD moving forward by creating an overarching\nsecurity directive, DoD Directive 5200.LL, \xe2\x80\x9cManagement of the Defense Security\nEnterprise,\xe2\x80\x9d (Draft - with an anticipated publish date in fourth quarter FY 2012),\nconsistent with the authorities assigned in DoD Directive, 5143.01, \xe2\x80\x9cUnder Secretary of\nDefense for Intelligence (USD(I)),\xe2\x80\x9d November 23, 2005, establishes policy and assigns\nresponsibility for the management of the Defense Security Enterprise (DSE). It provides\ndirection for a comprehensive DSE policy and oversight framework and governance\nstructure to safeguard personnel, information, operations, resources, technologies, and\nfacilities against harm, loss, or hostile acts and influences. It deconflicts the DSE from\nother DoD security related functions such as force protection and provides for the\nalignment, synchronization, support, and integration of those related security functions.\nIt assigns responsibilities related to the DSE to the Defense Security Executive, and\nprovides a common lexicon for the DSE.\n\nIt also established the DSE ExCom. The objective of the DSE ExCom is to provide\nenterprise-wide and converged organizational governance to the development,\nimplementation, and oversight of security policy and security workforce development.\n\n                                              3\n\x0cMembers comprise senior leadership from key components in the Department who have\ncorresponding oversight responsibility for security functions. The DSE ExCom\nrepresents a significant transformation in the way the Department is approaching security\nmatters.\n\nDoD 3305 series of issuances address the training, education, and professional\ndevelopment needs of the DoD Intelligence Enterprise. 
The series authorizes DoD\nfunctional managers and training councils to define workforce training standards. The\ntraining and professionalization of intelligence and security personnel is governed by\nthese issuances. We addressed DoD Instruction 3305.13, \xe2\x80\x9cDoD Security Training,\xe2\x80\x9d\nDecember 18, 2007, in a previous report on security training, certification, and\nprofessionalization. The instruction resulted in the creation of the Defense Security\nTraining Council. The training council provides the means through which security\ntraining issues, policy changes, establishment of standards, allocation of responsibilities,\nand other related topics can be addressed and recommendations made to the USD(I). The\ncouncil incorporates a coordinated approach to security training and professionalization.\n\nA major contributing factor to the training, education, and professional development\nefforts is the SP\xc4\x93D Program, which is a DoD-wide security training and certification\nprogram that will identify security proficiencies and accountabilities. When fully\nimplemented by the fourth quarter of 2014, SP\xc4\x93D will provide the DoD security\nworkforce a path towards professionalization and will establish standardized\ncompetencies across DoD components. Detailed information about the SP\xc4\x93D program\ncan be found in our previous assessment 1 on security training, certification, and\nprofessionalization.\n\nCurrent Security Policy\nDoD components must be compliant with a number of security policies which can be\nredundant and outdated. Central oversight of security policies is only in its formative\nstages with the creation of the Defense Security Oversight and Assessment Program. 2\nThere is also no agreed upon lexicon for security, with the one exception being\nInformation Assurance. The fragmentation and lack of top-down coordination of the\nsecurity enterprise undermines the DoD mission and national security. 
The current\norganizational structure makes it difficult for any high-level decision-maker to know\nwhether security functions are being adequately fulfilled. In effect, security policy is\nstove-piped, making it difficult to identify a senior level focal point for security\nprograms.\n\nDoD security policy is fragmented, redundant, and inconsistent; in part, because of the\nlack of an integrated security framework. The Department has a significant number of\nsecurity policy publications, and specializations which cause redundancies,\ninconsistencies, and gaps in the creation and implementation of security measures.\nCurrently, the Department has 23 security functional areas \xe2\x80\x93 each with its own set of\n\n\n1\n  \xe2\x80\x9cAssessment of Security Within the Department of Defense \xe2\x80\x93 Training, Certification, and\nProfessionalization,\xe2\x80\x9d Report No. DoDIG-2012-001, October 6, 2011. This is the second report in the series\nof assessments.\n2\n  As part of its strategic oversight of security role in the DoD, on September 30, 2010, the OUSD(I)\nestablished the Defense Security Oversight and Assessment Program, with the primary purpose of gaining\nawareness of the health of the Defense Security Enterprise and making policy, planning, and advocate\nresourcing decisions necessary for continued improvement.\n\n                                                   4\n\x0crelated security issuances. 
It is difficult to provide oversight and training associated in\nmost security disciplines when there are no clearly defined responsibilities and lines of\nauthority for information security, physical security, and information assurance when\ndealing with information protection.\n\nCritical infrastructure protection, nuclear physical security, cybersecurity, supply chain\nrisk management, insider threat, force protection, foreign disclosure, technology transfer,\ninformation assurance and other DoD functional areas should influence and be influenced\nby security policy and oversight \xe2\x80\x93 the core responsibility of the Principal Staff Assistant\nfor Security. However, no formal mechanism exists to exercise executive-level\nleadership that incorporates and integrates the views of all of these functions into a\ncohesive departmental security program with comprehensive, non-duplicative, and\nmutually understood roles and responsibilities. In the absence of an overarching security\npolicy that provides a means for organizational coordination, resulting policy can be\nstove piped, overlapping, and contradictory.\n\nThe Assistant Secretary of Defense for Homeland Defense and Americas\xe2\x80\x99 Security\nAffairs oversees Mission Assurance, Anti-Terrorism, Insider Threat, Cyber Security,\nCritical Infrastructure Protection, Force Protection, and Supply Chain Risk Management.\nThe Under Secretary of Defense for Acquisition, Technology, and Logistics oversees\nnuclear physical security; the Under Secretary of Defense for Policy oversees foreign\ndisclosure; and the DoD Chief Information Officer oversees information assurance.\n\nThese DoD functional areas should influence and be influenced by security policy and\noversight \xe2\x80\x93 the core responsibility of the Principal Staff Assistant for Security.\nDoD Directive 5143.01, \xe2\x80\x9cUnder Secretary of Defense for Intelligence (USD(I)),\xe2\x80\x9d\nNovember 23, 2005, paragraph 4 states that \xe2\x80\x9cThe 
USD(I) is the [Principal Staff Assistant]\nand advisor to the Secretary and Deputy Secretary of Defense regarding\xe2\x80\xa6security\xe2\x80\xa6\xe2\x80\x9d\nThe USD(I) has the authority to develop and integrate risk-managed security and\nprotection policies and programs; and develop, coordinate, and oversee the\nimplementation of DoD security policies and programs.\n\nThe Deputy Under Secretary of Defense for Intelligence and Security, through the\nOUSD(I) Director of Security, has personnel who are responsible for maintaining the 43\npolicies promulgated by the office, covering the functional areas of information security,\nindustrial security, operations security, research and technology protection, personnel\nsecurity, physical security, and special access programs. However, no overarching policy\nexists that blends these policies into an integrated security framework for the Department.\n\nOverlapping policies can not only be confusing, but there is a need to reduce potential\nduplication across federal programs, save tax dollars, and more efficiently use available\nresources. Accordingly, DoD security lines of authority and security policy should be\nrevised to avoid redundancy and inconsistencies. A review of Information Security\npolicy reveals overlaps between the following issuances:\n\n\n   \xe2\x80\xa2   DoD Directive 5210.83, \xe2\x80\x9cDepartment of Defense Unclassified Controlled Nuclear\n       Information,\xe2\x80\x9d overlaps with personnel security matters by addressing persons\n       authorized to access DoD unclassified controlled nuclear information and\n       detailing how to obtain authorization to access the information. The issuance\n       establishes access guidance for federal employees, contractors, congressional\n       officials and other designated authorities. 
The issuance also identifies the\n       appropriate process for marking unclassified controlled nuclear information and\n\n                                              5\n\x0c       thus overlaps with recent guidance for the appropriate handling and marking of\n       controlled unclassified information as set forth in DoD Manual 5200.01, Volume\n       4, \xe2\x80\x9cDoD Information Security Program: Controlled Unclassified Information\n       (CUI),\xe2\x80\x9d February 24, 2012.\n\n   \xe2\x80\xa2   DoD Instruction 5200.33, \xe2\x80\x9cDefense Courier Operations (DCO),\xe2\x80\x9d overlaps with\n       physical security as it identifies standards for material storage for items in courier\n       possession, escort requirements and material transit specifications. The issuance\n       also overlaps with personnel security by identifying the security clearance and\n       suitability standards for courier personnel.\n\n   \xe2\x80\xa2   DoD Instruction 5200.39, \xe2\x80\x9cCritical Program Information Protection Within the\n       Department of Defense,\xe2\x80\x9d overlaps with industrial security as it addresses the\n       conduct of security inspections at cleared Defense contractor facilities as well as\n       coordination with defense contractors. In addition, the instruction overlaps with\n       matters related to operations security, personnel security, and physical security.\n\nAdditional review of physical security policy revealed the following policy overlaps.\n\n   \xe2\x80\xa2   DoD Instruction 5100.76 \xe2\x80\x9cSafeguarding Conventional Arms, Ammunition, and\n       Explosives (AA&E)\xe2\x80\x9d overlaps with physical security as it includes guidance for\n       the proper safeguarding of Conventional AA&E against theft, loss, sabotage,\n       damage, or unauthorized use. 
The instruction also addresses personnel security\n       and foreign visits and assignments and overlaps with research and technology\n       protection.\n\n   \xe2\x80\xa2   DoD Instruction 5210.65, \xe2\x80\x9cMinimum Security Standards for Safeguarding\n       Chemical Agents,\xe2\x80\x9d overlaps with industrial security with the provision of security\n       standards for facilities that produce, store, use, train with, transfer, and/or destroy\n       chemical agents. The instruction overlaps with personnel security by identifying\n       standards for Individuals certified by Certifying Officials with a legitimate need\n       to handle and/or use chemical agents. In addition, the requirement for a secure\n       inventory database system and information protection measures to verify the\n       appropriate security of information on chemical agents impinge on areas related\n       to information security.\n\n   \xe2\x80\xa2   DoD Regulation 5200.08-R, \xe2\x80\x9cPhysical Security Program\xe2\x80\x9d prescribes minimum\n       standards for the security of personnel, installations, military operations, and\n       certain additional assets. As such, it overlaps with personnel security with respect\n       to checks, issuance of clearances and identification cards; information security\n       with respect to access to government systems and the coordination of physical\n       security for automated information systems.\n\nThe above examples are not comprehensive. There are additional security policies with\noverlapping areas of control or guidance. 
These policies illustrate the integrated nature of\nsecurity throughout the department and reflect the need for an enterprise approach in\ncreating security policy.\n\nFragmentary security policies have been identified in previous DoD-sponsored studies.\nThe earlier referenced Federated Security Study that assessed the optimal organizational,\nmanagement, and resourcing structure to best accomplish the Department\xe2\x80\x99s security\nmission identified the DoD Manual 5220.22-M, \xe2\x80\x9cNational Industrial Security Program\n\n\n                                              6\n\x0cOperating Manual,\xe2\x80\x9d as an issuance that does not reference requirements for Special\nNuclear Material and does not cover operational data integrity and system availability,\nnor does it address controlled unclassified information. However, there is a draft 5220.22\nmanual that is undergoing formal coordination. These issues should be addressed in the\nrevised version of the manual. An additional issuance, DoD Regulation 5200.2-R offers\nguidance for the safeguarding of personnel security investigative records but provides no\ndirection regarding training of personnel tasked to safeguard records or the potential\nconsequences for the deliberate or unintentional compromise of personnel security\ninformation.\n\nInconsistent security policies make it difficult for end-users to be in compliance with\nexisting guidance. The following policies are potential examples where guidance needs\nto be congruent or harmonized.\n\n   \xe2\x80\xa2   DTM 09-012, requires coordination with personnel security due to vetting and\n       adjudication procedures of personnel receiving U.S. Government identification\n       credentials. The two functions must work together to eliminate conflicting\n       implementation guidance. 
It also has implications on industrial security for\n       contractors and information security for network requirements.\n\n   \xe2\x80\xa2   DTM 04-010, \xe2\x80\x9cInterim Information Security Guidance,\xe2\x80\x9d addresses a variety of\n       issues, but does not assign specific responsibilities to specific organizations.\n\n   \xe2\x80\xa2   DoD 5200.08-R, sets the stage for establishing common baseline physical security\n       standards for all DoD Components, and then delegates implementation of that\n       posture to each Component and its respective Component Head.\n\nDoD Directive 5200.2, \xe2\x80\x9cPersonnel Security Program,\xe2\x80\x9d was generally adequate with the\nexception of reciprocal acceptance of prior investigations and personnel security\ndeterminations. This is not uniform across the federal government. DoD has exceptions\nto certain types of investigations completed by other than DoD agencies. In the special\naccess program area, DoD component Special Access Program Coordination Offices\nhave documented agreements in place to accept no-waiver special access program\neligibility determinations. 
There is still a challenge between the intelligence community\nand DoD in creating consistent standards for eligibility and reciprocity between sensitive\ncompartmented information and DoD special access programs.\n\nThe personnel security requirements for individuals that require access to sensitive\ncompartmented information are contained within Director of Central Intelligence\nDirective 6/4 and DoD 5105.21-M-1, \xe2\x80\x9cDepartment of Defense Sensitive Compartmented\nInformation Administrative Security Manual,\xe2\x80\x9d August 1998; while the Joint Air Force,\nArmy, Navy 6/4 manual provides the same requirements for the special access program\ncommunity.\n\nDepartment of Defense Instruction 5205.13, \xe2\x80\x9cDefense Industry Base (DIB) Cyber\nSecurity/Information Assurance (CS/IA) Activities, January 29, 2010, does not address\nhow DoD and the Defense Industrial Base will conjointly address certification and\naccreditation efforts of Defense Industrial Base systems, what standard to use, (e.g. the\nDoD Information Assurance Certification and Accreditation Process), and how this will\nbe overseen.\n\n\n\n\n                                            7\n\x0cSurvey Results Regarding Security Policy\nThe above issues were also expressed in surveys that our office conducted in connection\nwith this assessment. We solicited input from Security Managers via surveys in an\nattempt to ascertain the state of security policy across organizations, Services, and\ncommands. Respondents were provided with a password to access the survey online.\nThe survey was sent to 48 Security Managers throughout the DoD and addressed funding,\ncertification and training, classification and grading, and policy issues related to security.\n\nAs the security managers of their respective organizations, respondents were able to\nprovide knowledgeable responses and a perspective of security operations in the field\nwhere policy is implemented, which in turn informed this report. 
We received a response rate of 35%. Survey respondents noted that security policy is effective; however, one third of the Security Managers reported policy that was inconsistent, overlapping, or difficult to implement.

A majority of survey respondents stated that they would like to see specific guidance directing the field and the central adjudication facilities to accept other organizations' adjudicative decisions, that is, reciprocal acceptance of prior investigations and personnel security determinations when processing new hires from the Services or when contractor personnel move to another contract or contracting company. With one overarching policy, personnel security delays in these cases could be eliminated, with the potential to save money for the Department.

More than one quarter of the survey respondents had serious concerns about the information security program, DoD Instruction 5200.01. Specifically, the concerns were the absence of a consistent standard for marking classified information across the Department and whether Information Security Oversight Office or Controlled Access Program Coordination Office guidance had primacy within the DoD. With one overarching policy, guidelines could be established to create one standard, regardless of agency, for marking, handling, transporting, or transmitting classified information.

An additional concern listed by survey respondents was redundant policy between the physical security program, DoD Regulation 5200.08-R, and the DoD antiterrorism/force protection program, DoD Directive 2000.12. For example, one survey respondent stated, “I am constantly amazed at why we (the DoD) have separate physical security and antiterrorism programs. They are two sides of the same coin and are often duplicative and redundant.”

Best Practice
The Air Force is making great strides in streamlining its security policies by undertaking efforts to consolidate security policy issuances.
These efforts should be encouraged. The organization has unity of command over security functions by having a single senior executive reporting directly to the Secretary of the Air Force. The Administrative Assistant to the Secretary of the Air Force is the Senior Security Official and has established the Air Force Security Policy and Oversight Board, comprising general officer and executive-level membership from across Air Force security and including key functions such as information assurance, legislative affairs, and others. As its name implies, the board decides on key initiatives and policy to be applied Air Force wide.

Air Force Policy Directive 16-14, “Information Protection,” September 28, 2010, establishes policies and responsibilities for the oversight, management, and execution of protecting Air Force information across the Air Force Enterprise regardless of where the information exists. The Directive consolidates DoD Instruction 5200.01, “DoD Information Security Program and Protection of Sensitive Compartmented Information,” October 9, 2008, and DoD Directive 8500.01E, “Information Assurance,” April 23, 2007, and selected information protection policy from Air Force Policy Directive 10-7, “Information Operations;” Air Force Policy Directive 33-3, “Information Management;” Air Force Policy Directive 35-1, “Public Affairs Management;” Air Force Policy Directive 16-6, “Arms Control Agreement;” Air Force Policy Directive 61-2, “Management of Scientific and Technical Information;” and Air Force Policy Directive 63-1/Air Force Policy Directive 20-1, “Acquisition and Sustainment Life Cycle Management.”

Conclusion
In the first report in this series, Report No.
10-INTEL-09, “Assessment of Security Within the Department of Defense: Tracking and Measuring Security Costs,” August 6, 2010, we recommended a comprehensive and integrated security framework to facilitate tracking security costs, programming future years' security budgets more accurately, and examining the return on investment for security expenditures.

We are not making any recommendations in this report because we believe that the previous recommendation, if implemented in a timely manner, will ensure an enterprise approach to security policy management across the Department. Further, that recommendation will ensure that the new DSE ExCom, which held its inaugural meeting in January 2012, is an integral part of policy development and coordination, with the requisite authorities to effect changes in security policy implementation and oversight.

The DSE ExCom is furthering an enterprise-wide and converged organizational perspective on security policy development, oversight, and implementation. The DSE ExCom will enable a unified Defense perspective on security issues across the DoD and provide a means to interface more effectively with external agencies and organizations. This integrated approach should be reflected in the existing security policy construct. At present, however, security policy is not in accordance with the DoD enterprise approach. Interviews, directed studies, and surveys have identified DoD security policy that is fragmented, redundant, and inconsistent.

An overarching security policy could lay the groundwork for an integrated framework for security policy implementation, provide an archetype for policy harmonization, and ensure greater security policy coordination and integration. DoD needs to promulgate the overarching policy in order to solidify the DSE ExCom and to strengthen security policy and enterprise management.
This will significantly advance efforts to comprehensively integrate security guidance and ensure conformance with the developing enterprise paradigm within the Department.

APPENDIX: Prior Coverage
During the last 5 years, the Government Accountability Office (GAO) and the Department of Defense Inspector General (DoDIG) have issued four reports that have addressed security specific to the DoD and national security enterprise. Unrestricted GAO reports can be accessed over the Internet at http://www.gao.gov. Unrestricted DoD IG reports can be accessed at http://www.dodig.mil/Ir/reports.

GAO
GAO Report No. GAO-09-0904SP, “Key Issues for Congressional Oversight of National Security Strategies, Organizations, Workforce, and Information Sharing,” September 2009

DoD IG
DoD IG Report No. 10-Intel-09, “Assessment of Security Within the Department of Defense – Tracking and Measuring Security Costs,” August 6, 2010

DoD IG Report No. DoDIG-2012-001, “Assessment of Security Within the Department of Defense – Training, Certification, and Professionalization,” October 6, 2011

Office of the Under Secretary of Defense for Intelligence Comments